@el_su isse – tu leap.org – ena lean.com
SnowCamp - 25/01/2018
@el_su isse – tu leap.org – ena lean.com
Continuous Delivery and Secure Code Delivery : impossible ?
@el_su isse – tu leap.org – ena lean.com
Who Am I
● Thomas Gerbet (@el_suisse)
● @TuleapOpenALM contributor and maintainer
● @GreHackConf organizer
● Alpaca lover
@el_su isse – tu leap.org – ena lean.com
Secure Code Delivery: Defnition
● Getting software to your users in a way they can trust– Userbase Consistency Verifcation
– Reproducible Builds
– Cryptographic Signatures
@el_su isse – tu leap.org – ena lean.com
Userbase Consistency Verifcation
Everyone gets the same deliverable
Everyone can verify it
Prevent targeted attacks
Public append-only ledger
(Sorry, blockchains are not needed)
@el_su isse – tu leap.org – ena lean.com
Reproducible Builds
Code ⇔ Deliverable
Hard to backdoor the deliverable
Help if a maintainer is malicious or attacked
https://reproducible-builds.org/
@el_su isse – tu leap.org – ena lean.com
Cryptographic Signatures
Anchor of trust to maintainers
Software is released by the authorized people
@el_su isse – tu leap.org – ena lean.com
Secure Code Delivery: Challenges
● Userbase Consistency Verifcation– Mostly not supported by existing delivery software
– Infrastructure can be hard to maintain
● Reproducible builds– Heterogeneous build systems
– Codebase size
● Cryptographic Signatures– Releases frequency
@el_su isse – tu leap.org – ena lean.com
Tuleap release process
● What a Tuleap release is?– Delivered as RPM packages (GPG signature)
– Two kinds:
● Built out of tags (monthly snapshot)● Built out of master
● Continuous Delivery– Each contributions integrated triggers and publish a new release
– ~140 monthly releases
– Heavy use of Jenkins pipeline and Docker containers
@el_su isse – tu leap.org – ena lean.com
Tuleap packages signing (2012-2016)
● Only packages built from tags were signed
● No automation: process entirely manual
● GPG key used to sign the RPM packages:– Stored encrypted with the GPG keys of maintainers
– Master passphrase of the key also stored encrypted with the GPG keys of the maintainers
– In the best secret store: a Subversion repository
@el_su isse – tu leap.org – ena lean.com
Hard to Get Right, Easy to Fail
@el_su isse – tu leap.org – ena lean.com
No Audit Trail
● When was the key used?
● By who?
● And for what?
● Not even a slight chance to detect a compromise
● Can tell what happened
@el_su isse – tu leap.org – ena lean.com
Does Not Scale
● ~ 10/15mn to sign the packages:– Find the obscure wiki page describing the process
– Remember how GPG CLI tool works
– Read 3 times the wiki in the hope of not making mistakes
– Sign the packages (fnally!)
● 140 times a month?
@el_su isse – tu leap.org – ena lean.com
Tuleap packages signing (2012-2016)
~ Packages signed– Most used packages were not signed
✘ Automated
✘ Leak prevention
✘ Least privilege
✘ Auditing capabilities
@el_su isse – tu leap.org – ena lean.com
HashiCorp Vault
@el_su isse – tu leap.org – ena lean.com
HashiCorp Vault: Secret backends
● Store and generate secrets– AWS
– Consul
– Databases
– Key/Value
– PKI
– RabbitMQ
– SSH
– TOTP
– Transit (Cryptography as a Service)
– …
No GPG backend?
@el_su isse – tu leap.org – ena lean.com
Tuleap packages signing (early/mid 2017)
● Workaround for lack of Vault GPG secret backend– Store GPG key in the key/value secret backend
– Retrieve the GPG key whenever you need it
● Authenticate Jenkins against Vault– AppRole authentication backend with regular credentials rotation
– Jenkins credentials plugin
– Restricted policies
● Pass the GPG key from Jenkins to the Docker container doing the heavy lifting– Response wrapping: short lived and one use token allows the
container to get the key
@el_su isse – tu leap.org – ena lean.com
Tuleap packages signing (early/mid 2017)
@el_su isse – tu leap.org – ena lean.com
Tuleap packages signing (early/mid 2017)
✔ Packages signed
✔ Automated
~ Leak prevention– GPG key can easily be extracted by an insider
– Need to be very careful to not leak the key accidentally
~ Least privilege
~ Auditing capabilities– Retrieval of the key is logged
– What’s done with the key is not logged
@el_su isse – tu leap.org – ena lean.com
HashiCorp Vault: Plugins
● Possible since Vault 0.8.0 (August 2017)
● We can write our GPG secret backend
● Golang– (Almost) No prior knowledge of the language
– High level operations on GPG operations is already there
Challenge accepted!
@el_su isse – tu leap.org – ena lean.com
Tuleap packages signing (end 2017 - 2018)
@el_su isse – tu leap.org – ena lean.com
Call Vault from rpmsign(8)
Switch GPG binary by a small shell script (rpmsign option)
@el_su isse – tu leap.org – ena lean.com
Tuleap packages signing (end 2017 - 2018)
✔ Packages signed
✔ Automated
✔ Leak prevention
✔ Least privilege
✔ Auditing capabilities
@el_su isse – tu leap.org – ena lean.com
Outcome
● No universal solution for signing deliverable
● HashiCorp Vault– Integrates easily with your Jenkins pipeline and the rest of your
infrastructure
– Flexible secrets management
● Secure Code Delivery is a mandatory step to bring security into your SDLC process– Bringing it small steps by small is fne: it’s not a black and white
situation
@el_su isse – tu leap.org – ena lean.com
Play with it at home
RPM signing with HashiCorp Vault K/V backend and Jenkins pipelines
All resources (Jenkinsfles, Dockerfles, scripts…) are linked in the following blogpost
https://blog.tuleap.org/delivering-rpm-packages-securely-and-continuously-jenkins-and-hashicorp-vault
Vault GPG secret backend
https://github.com/LeSuisse/vault-gpg-plugin
Ongoing work to integrate it into Vault
@el_su isse – tu leap.org – ena lean.com
Questions?
@el_su isse – tu leap.org – ena lean.com
Why Not Sigul?
● Lots of unknown (to us) moving parts
● We already had HashiCorp Vault up and running
● No deployment outside of the Fedora infrastructure?
● Audit capacities unclear
@el_su isse – tu leap.org – ena lean.com
Vault GPG secret backend plugin performance
● ~1mn30 for our 84 packages (~150MB)
● No optimization have been done yet– Signing packages is done sequentially in our pipeline
– Network limitation
● Raw performance of the plugin will be improved once integrated directly into Vault
Top Related